Improper Privilege Management in dotcms/core


Reported on

Dec 6th 2021


Hello team, I found an SSTI that allows me to get full privilege escalation (system user)

  1. While editing a template we have total access to the User and UserModel classes via $user
  2. One of the UserModel methods is called setUserId
  3. If we call setUserId and pass "system" as parameter we get access to the system user role
  4. To exploit this flaw we need a user with the following permissions/role:
    • Active; Back-end User
    • Back-end Users need the following permissions:
      • View: Sites, Pages, Templates
      • Edit: Templates

The exploitation is easy, but the user permissions/role are a little hard to set, so I made a video showing how to set the permissions and exploit the flaw

Proof of Concept


Youtube link unlisted


We can get full access to the application with a user with little privileges
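The report above boils down to one pattern: the Velocity context hands the template a mutable `$user` object, so a template author with edit rights can call a setter on it. A defender's first step is to find such calls in stored templates before they run. The scanner below is an added example written for this page, not dotCMS code; it assumes only that templates are plain Velocity text and that the context variable is named `user` as the report states. It flags any `set*` method invoked on `$user` (directly or through a chain such as `getUserModel()`), ranks `setUserId` highest, and runs against a constructed sample template embedded inline. Note that Velocity's own `SecureUberspector` does not help here: it blocks reflection-style classes, not application setters like this one, so the durable fix is to expose a read-only view of the user to templates.

```python
import re
from typing import List, NamedTuple

# Matches Velocity references of the form $user, $!user or ${user, followed by
# an optional chain of method calls and then a setter invocation, e.g.
#   $user.setUserId("system")
#   $!user.getUserModel().setUserId('system')
# The chain group is lazy so the setter is the first set* call in the chain.
_SETTER_CALL = re.compile(
    r"\$!?\{?user"
    r"(?P<chain>(?:\.\w+(?:\([^)]*\))?)*?)"
    r"\.(?P<setter>set\w+)\s*\((?P<args>[^)]*)\)"
)


class Finding(NamedTuple):
    line: int        # 1-based line number within the template
    setter: str      # the setter method name that was invoked
    args: str        # raw argument text, whitespace-stripped
    severity: str    # "high" for identity changes, "medium" for other mutation
    snippet: str     # the matched text, for the reviewer


def _severity(setter: str) -> str:
    # Changing the user id is the identity swap described in the report;
    # any other setter on the user object is still a mutation worth a look.
    return "high" if setter == "setUserId" else "medium"


def find_user_mutations(template: str) -> List[Finding]:
    """Return every setter call on the template's $user object."""
    findings: List[Finding] = []
    for lineno, text in enumerate(template.splitlines(), start=1):
        for m in _SETTER_CALL.finditer(text):
            setter = m.group("setter")
            findings.append(
                Finding(
                    line=lineno,
                    setter=setter,
                    args=m.group("args").strip(),
                    severity=_severity(setter),
                    snippet=m.group(0),
                )
            )
    return findings


# Constructed sample template for demonstration; not taken from any real site.
SAMPLE_TEMPLATE = """\
## constructed sample: a welcome banner with two planted mutations
<h1>Welcome $user.getFullName()</h1>
#set($ignored = $user.setUserId("system"))
$!user.getUserModel().setUserId('system')
<p>${user.firstName}</p>
"""


if __name__ == "__main__":
    for f in find_user_mutations(SAMPLE_TEMPLATE):
        print(f"line {f.line}: [{f.severity}] {f.setter}({f.args})  <- {f.snippet}")
```

Run the scanner over exported template bodies as part of a review job or a pre-save hook; a hit on `setUserId` with the argument `"system"` is exactly the case this report describes. A regex check is a detection aid, not a sandbox: a template can still reach the same setter indirectly (for example through `#set` with a variable name), so treat findings as a trigger for review and keep the real fix on the server side.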

We are processing your report and will contact the dotcms/core team within 24 hours. a year ago
We have contacted a member of the dotcms/core team and are waiting to hear back a year ago
a year ago


Just a clarification, this change is not saved in the database, only during the session, if you log out you will "lose" the permissions again. After getting the permission you want you can change your user to CMS admin directly through the interface, or you can redo the attack whenever you login

We have sent a follow up to the dotcms/core team. We will try again in 7 days. a year ago
Will Ezell validated this vulnerability a year ago
Vinicius Ribeiro Ferreira da Silva has been awarded the disclosure bounty
The fix bounty is now up for grabs
Will Ezell marked this as fixed in 21.12, 21.06.04 with commit 2c9b40 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
a year ago


Hi Will, can I request a CVE for this report? I think the flaw is serious enough
